Effective Audit Committee Oversight Starts With Effective Enterprise Risk Management

By Vanessa Teitelbaum

10/17/2024

Understanding and managing risks effectively is crucial for any business to guard against disruption to operations, reputational damage, and viability. Enterprise risk management (ERM) offers a structured approach to identify, assess, and mitigate risks with the potential for serious consequences if not managed properly. Unlike traditional risk management, which focuses on individual risks in isolation, ERM integrates risk considerations into the organization’s strategic planning and decision-making processes.

As part of the ongoing Audit Committee Effectiveness webinar series presented by the Center for Audit Quality (CAQ) and NACD, I spoke with Brian Schwartz, a partner with PwC’s Governance Insights Center, and David Herzog, MetLife’s audit committee chair, about ERM.

What is ERM?

The needs and risks of a particular business vary, depending on unique factors such as the industry of the business, the size and scope of its operations, and the breadth of third and fourth parties the company interacts with. For instance, the risks posed by an information technology failure will likely be different for customers of Robinhood Markets if they can’t place buy or sell orders than for those buying a Deere and Co. product who cannot connect with customer service for a short period. Both are serious, but the extent of reputational and operational risk differs between the two companies. Ultimately, the goal of a well-developed and well-managed ERM process is to guide decision-making through a governance lens. Schwartz described ERM as “a set of processes across a company that enables it to identify, prioritize, manage, monitor, mitigate, and report on a set of key business risks that align with the company’s strategic plan, initiatives, and priorities.”

Done well, ERM protects and enables a company through the management of risks with clarity on how much risk is acceptable and what poses the greatest risk.

Defining risks can be challenging but is necessary. As Schwartz discussed, the risks included in an ERM process will typically fall into one of four categories: strategic, operational, financial, or compliance. Risk should be further defined and ranked within each category to help inform what actions need to be taken when a risk event occurs.

ERM is more than, and different from, an annual risk assessment. ERM should be informed by annual assessments, but ERM functions like a dashboard that anticipates the interconnectedness of risks and what to do when a triggering event becomes a reality for the business.

The Board and ERM

While responsibility for creating the ERM process lies with management, the board should pay attention to ERM on several fronts. In our discussion, Herzog made the point that the role of the board is to “challenge, inspect, and review” and the same applies to management’s ERM process.

How a board delegates responsibility for oversight and monitoring of the ERM process varies, but there are common practices across companies. According to the 2024 Audit Committee Practices Report: Common Threads Across Audit Committees, produced by CAQ in partnership with Deloitte, 47 percent of audit committees have primary responsibility for oversight of ERM, while full boards (35 percent) and risk committees (15 percent) have the primary responsibility less frequently. Herzog explained that MetLife has a finance and risk committee of the board with primary oversight responsibility for ERM. Meanwhile, according to Herzog, the audit committee at DXC Technology is responsible for ERM oversight.

How frequently ERM is a topic of discussion at board or committee meetings is also a decision for each board to make. For DXC Technology, the audit committee includes ERM on its agenda quarterly. This cadence aligns with the findings of the Audit Committee Practices Report, with 49 percent of boards or committees with ERM responsibility surveyed having it on the agenda quarterly, 28 percent having it on the agenda semiannually, and 20 percent having it on the agenda annually.

Importantly, boards need to remain aware of emerging risks and ask management about their effects on ERM. To help with their oversight role, Schwartz suggested that boards request tools from management to help them assess risk. These tools could include the results of periodic risk assessments, the results of key risk indicators (KRIs) that help measure key business risks and monitor how the company is doing against each risk appetite definition, and a list of the emerging risks that management is most trying to plan for, so that boards can be aware of them.

This becomes particularly important in anticipating potential emerging risks, especially unknown risks, which can be challenging. Potential emerging risks can include changing regulatory compliance issues, new cyber threats, geopolitical risks resulting from elections, or even new relationships with suppliers. Some of these potential risks, such as regulatory changes, are easier to predict and plan for, but others, such as market disruptions and geopolitical risks, can be harder to anticipate.

Priorities for Boards

Effective ERM is crucial for achieving organizational objectives, safeguarding the company’s reputation and stakeholder relationships, and ensuring long-term success. By overseeing the ERM process and proactively identifying and addressing emerging risks, audit committee members can effectively fulfill their oversight responsibilities in an increasingly complex risk environment.

All companies, but particularly those with less frequent risk assessments, should consider developing a list of triggering events that would initiate a risk assessment outside of their usual cycle. This dynamic approach to ERM monitoring prepares boards and management to adapt when an issue arises. Schwartz articulated that the right ERM framework creates an environment in which good risk-taking is incentivized and bad risk-taking is disincentivized so that companies can make risk-informed decisions.

Ultimately, ensuring that the right people are thinking about ERM will create an environment for a strong and healthy ERM process. As Herzog made clear, a diverse board with diverse backgrounds that considers different perspectives will be in a better position to perform its oversight responsibilities and support management.

CAQ is a NACD partner, providing directors with critical and timely information and perspectives. CAQ is a financial supporter of the NACD.

Vanessa Teitelbaum, CPA, is senior director on the Professional Practice team at the Center for Audit Quality. She joined the CAQ in 2016 and advocates for stakeholders in the audits of public companies.